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Introduction 


The Information Commissioner (the Commissioner) is calling for evidence 
and views on the Age Appropriate Design Code (the Code). 


The Code is a requirement of the Data Protection Act 2018 (the Act). The 
Act supports and supplements the implementation of the EU General Data 
Protection Regulation (the GDPR). 


The Code will provide guidance on the design standards that the 
Commissioner will expect providers of online ‘Information Society 
Services’ (ISS), which process personal data and are likely to be accessed 
by children, to meet. Once it has been published, the Commissioner will 
be required to take account of any provisions of the Code she considers to 
be relevant when exercising her regulatory functions. The courts and 
tribunals will also be required to take account of any provisions they 
consider to be relevant in proceedings brought before them. The Code 
may be submitted as evidence in court proceedings. 


Further guidance on how the GDPR applies to children’s personal data can 
be found in our guidance Children and the GDPR. It will be useful to read 
this before responding to the call for evidence, to understand what is 
already required by the GDPR and what the ICO currently recommends as 
best practice. In drafting the Code the ICO may consider suggestions that 
reinforce the specific requirements of the GDPR, or its overarching 
requirement that children merit special protection, but will disregard any 
suggestions that fall below this standard. 


The Commissioner will be responsible for drafting the Code. The Act 
provides that the Commissioner must consult with relevant stakeholders 
when preparing the Code, and submit it to the Secretary of State for 
Parliamentary approval within 18 months of 25 May 2018. She will publish 
the Code once it has been approved by Parliament. 


This call for evidence is the first stage of the consultation process. The 
Commissioner seeks evidence and views on the development stages of 
childhood and age-appropriate design standards for ISS. The 
Commissioner is particularly interested in evidence based submissions 
provided by: bodies representing the views of children or parents; child 
development experts; providers of online services likely to be accessed by 
children, and trade associations representing such providers. She 
appreciates that different stakeholders will have different and particular 
areas of expertise. The Commissioner welcomes responses that are 
limited to specific areas of interest or expertise and only address 
questions within these areas, as well as those that address every question 
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asked. She is not seeking submissions from individual children or parents 
in this call for evidence as she intends to engage with these stakeholder 
groups via other dedicated and specifically tailored means. 


The Commissioner will use the evidence gathered to inform further work 
in developing the content of the Code. 


The scope of the Code 


The Act affords the Commissioner discretion to set such standards of age 
appropriate design as she considers to be desirable, having 

regard to the best interests of children, and to provide such guidance as 
she considers appropriate. 


In exercising this discretion the Act requires the Commissioner to have 
regard to the fact that children have different needs at different ages, and 
to the United Kingdom’s obligations under the United Nations Convention 
on the Rights of the Child. 


During Parliamentary debate the Government committed to supporting 
the Commissioner in her development of the Code by providing her with a 
list of ‘minimum standards to be taken into account when designing it.’ 
The Commissioner will have regard to this list both in this call for 
evidence, and when exercising her discretion to develop such standards 
as she considers to be desirable 


In developing the Code the Commissioner will also take into account that 
the scope and purpose of the Act, and her role in this respect, is limited to 
making provision for the processing of personal data. 


Responses to this call for evidence must be submitted by 19 September 
2018. You can submit your response in one of the following ways: 


Online 


Download this document and email to: 


childrenandtheGDPR@ICO.org.uk 


Print off this document and post to: 

Age Appropriate Design Code call for evidence 
Engagement Department 

Information Commissioner’s Office 

Wycliffe House 

Water Lane 

Wilmslow 
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Cheshire SK9 5AF 


If you would like further information on the call for evidence please 
telephone 0303 123 1113 and ask to speak to the Engagement 
Department about the Age Appropriate Design Code or email 


childrenandtheGDPR@ICO.org.uk 


Privacy statement 

For this call for evidence we will publish responses received from 
organisations but will remove any personal data before publication. We 
will not publish responses from individuals. For more information about 


what we do with personal data please see our privacy notice. 
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Section 1: Your views and evidence 


Background 


Founded in 1944, the British Toy & Hobby Association (BTHA) is the 
official organisation representing toy manufacturers. The BTHA has 138 
members ranging from international toy giants to small family-run 
businesses that together account for more than 85% of the UK toy 
market. Membership of the BTHA shows the member’s commitment to 
adhere to the BTHA Code of Practice under the umbrella of the Lion Mark 
promoting the highest standards of safety and quality in the manufacture 
of toys, games and playthings. 


Aside from officially representing the interests of Britain’s toy 
manufacturers, the BTHA also has wider priorities, including promoting 
the benefits of play through the Make Time 2 Play campaign, raising 
money via the industry’s charity the Toy Trust to help disadvantaged 
children, and organising the annual Toy Fair, which showcases the British 
toy industry. 


Please provide us with your views and evidence in the following areas: 


Development needs of children at different ages 


The Act requires the Commissioner to take account of the development 
needs of children at different ages when drafting the Code. 


The Commissioner proposes to use their age ranges set out in the report 
Digital Childhood - addressing childhood development milestones in the 
Digital Environment as a starting point in this respect. This report draws 
upon a number of sources including findings of the United Kingdom 
Council for Child Internet Safety (UKCCIS) Evidence Group in its literature 
review of Children’s online activities risks and safety. 


The proposed age ranges are as follows: 


3-5 
6-9 
10-12 
13-15 
16-17 


Q1. In terms of setting design standards for the processing of children’s 


personal data by providers of ISS (online services), how appropriate you 
consider the above age brackets would be (delete as appropriate): 
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Not at all appropriate 
Not really appropriate 
Quite appropriate 
Very appropriate 


Q1A. Please provide any views or evidence on how appropriate you 
consider the above age brackets would be in setting design standards for 
the processing of children’s personal data by providers of ISS (online 
services), 


We have spoken to a number of experts within our industry and beyond. 
We believe that the 3-5 bracket is likely to be accessing content with 
parental support and is very young to be understanding the concept of 
consent and risk. Therefore, we would suggest that guidance might be 
better, at this age, to recognise parental input by asking for parental 
recognition of any design standards and policies. 


The ages 13 to 17 are likely to cause some challenges for companies. It 
would be useful to have some guidance for companies on appropriate 
methods of obtaining consent for these ages as children of this age tend 
not to have identification for companies to ask for. 


Q2. Please provide any views or evidence you have on children’s 
development needs, in an online context in each or any of the above age 
brackets. 


The speed of changes in children’s development needs to be considered 
especially during early years. Additionally, there are individual differences 
between children of the same age, so this variance in maturity needs to 
be considered when setting age brackets. 


All areas of children’s development need to be considered. Children’s 
cognitive ability to understand issues around privacy and information 
sharing needs to be considered along with their social and emotional 
development - these areas of development do not develop uniformly and 
one of the biggest factors in their development is experience and 
exposure to the issues. Therefore, whilst young children need protecting 
from harm, over-protection can de-skill them and delay them from being 
able to make their own decisions around online safety as they mature. 


Key developmental milestones in a child’s ability to give informed consent 
to data use include: 

e his/her ability to understand risks 

e his/her ability to accurately predict consequences of actions 
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Many of children’s developmental needs can be supported and promoted 
online and the personalisation of many online activities enable children to 
have much more control and autonomy than they may have in other 
environments. This control and decision-making is largely beneficial to 
children’s development but needs to be increased incrementally to reflect 
developmental changes. Providing different routes through which children 
can access online content (e.g. written instructions, pictorial instructions 
and audio instructions - depending on the age) may maximise children’s 
access to and engagement with information. 


The United Nations Convention on the Rights of the Child 


The Data Protection Act 2018 requires the Commissioner to take account 
of the UK’s obligations under the UN Convention on the Rights of the Child 
when drafting the Code. 


Q3. Please provide any views or evidence you have on how the 
Convention might apply in the context of setting design standards for the 
processing of children’s personal data by providers of ISS (online 
services) 


As a general overarching principle, a child’s right to privacy should be 
balanced with a child’s right to information and choice. 


Aspects of design 


The Government has provided the Commissioner with a list of areas which 
it proposes she should take into account when drafting the Code. 


These are as follows: 

e default privacy settings, 

e data minimisation standards, 

e the presentation and language of terms and conditions and privacy 
notices, 

e uses of geolocation technology, 

e automated and semi-automated profiling, 

e transparency of paid-for activity such as product placement and 
marketing, 

e the sharing and resale of data, 

e the strategies used to encourage extended user engagement, 

e user reporting and resolution processes and systems, 

e the ability to understand and activate a child’s right to erasure, 
rectification and restriction, 

e the ability to access advice from independent, specialist advocates 
on all data rights, and 

e any other aspect of design that the commissioner considers 
relevant. 
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Q4. Please provide any views or evidence you think the Commissioner 
should take into account when explaining the meaning and coverage of 
these terms in the code. 


Default privacy settings 

The GDPR requires a company to put in place appropriate technical and 
organisational measures to implement the data protection principles - 
‘data protection by design and default’. The code should provide 
organisations with further guidance about the standards that the ICO will 
expect in this area for children. As an industry, we agree that the highest 
level of privacy should be the default setting, but companies need to have 
flexibility to evaluate what that is, dependant on the data and activity, as 
part of their own assessments. Organisations would benefit from 
understanding the ICO’s own interpretation of low risk and high-risk data 
processing, and acceptable means of collecting and processing that 
personal data. Clear guidance, with examples across different age 
categories if necessary, would aid data controllers to implement default 
privacy settings. 


Data minimisation standards 

The BTHA and its members support the data minimisation principle and 
only collecting personal data needed for the function of the product or 
service. However, obtaining age-verification and parental consent could 
be a challenge in line with this principle depending on the interpretation 
by the ICO as companies could end up collecting more data than has 
previously been necessarily to meet the requirement of the GDPR. We 
believe that informing a child of their rights and how to activate them 
once they are competent and of age to do so (as well as implementing 
company retention policies) to be a more pragmatic solution than holding 
specific ages and DOB of children. 


Guidance, including examples of data minimising practices when providing 
online services to children such as not asking for real names, DOB, ages 
of children but acceptance of tick boxes or email verification would be 
useful. Alternatively, leaving it open for companies to find their own 
solutions would be acceptable if a list of “don’t do’s” were to be provided. 


Currently, the industry does not handle a lot of personal data but as 
technology moves on and there are safer and more secure ways to do so, 
there may become more of a need to collect personal data. For example, 
metadata is incredibly important to companies for innovation and product 
development helping to improve and update products and experiences for 
children. As technology moves on, and consumer expectation demands 
inbuilt technology, or improved product development, this type of 
metadata will become more important to every industry. The guidance 
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needs to be future-proofed to allow more data collection in the future 
within the realms of allowable behaviour under the GDPR. 


The presentation and language of terms and conditions and 
privacy notices 

The Children and the GDPR guidance suggests using child friendly ways of 
presenting privacy information such as diagrams, cartoons, graphics. The 
code needs to acknowledge and accept a range of methods to present this 
information as the appropriate method will vary for different business 
depending on their size, online services offered and resource. For 
example, a privacy video may be too costly for an SME to produce. 


Whilst we specialise in communicating with children, particularly under 
12s, presenting privacy information so it carries enough detail yet can still 
be understandable by a younger child is a particular challenge for 
businesses. Children may only start understanding the concept of ‘privacy 
and being able to make informed decisions based on their understanding 
of privacy from around 8+ and this will vary from child to child. This 
needs to be acknowledged in the meaning of the code. 


1 


Mixed aged users who are on the same online services, yet at very 
different development stages, could be a challenge for companies in 
deciding how best to present terms and conditions, and privacy notices. It 
would be useful to organisations when implementing the code if there was 
greater clarity on the ICO’s interpretation of at what age a child is 
believed to be competent to understand privacy notices. We believe there 
is an opportunity for further research in this area to learn more and have 
members who have indicated a willingness to help explore this if that is of 
interest to you. 


As with many of the new data protection requirements, educating 
consumers on privacy notices, and terms and conditions will be 
paramount to help consumers understand and activate their rights. 


Uses of geolocation technology 

When using geolocation technology, as an industry we would assume the 
user would be required to give consent to the use of this information, and 
consequently parental consent would be needed for children under 12. 
The code needs to make clear who is responsible for offering a solution to 
collecting geolocation information as part of privacy default settings. We 
understand that this should be the responsibility of the internet service 
provider that offers the technology rather than a brand within that service 
otherwise it could become incredibly difficult for children (and parents) to 
understand that every piece of content they interact with has different 
terms of use and to monitor that use: it would make more sense from a 
consumer interaction that the privacy settings on a platform are set 
across the whole of that content. We understand that there are 
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discussions taking place in this area in Europe as part of the ePrivacy 
Directive. Although it is likely that the UK will have left the EU before this 
is finalised, we wanted to ask if this would have an impact on this code in 
the future to reflect any changes at a European level? 


To help organisations determine default privacy settings, such as 
automatic disabling, organisations would value guidance and clarity on 
how long the ICO believes consent should be valid for. This will help 
companies in their decision making. 


Automated and semi-automated profiling 

The GDPR states you should not subject children to decisions based solely 
on automated processing (including profiling) if these have a legal or 
similarly significant effect on them. We feel that this is an area which is 
currently quite vague, and organisations would welcome greater clarity 
and practical understanding to help them make informed decisions for 
profiling across different age bands. To help responsible companies get 
this right, it would be useful for the code to provide examples of practices 
deemed acceptable/unacceptable by the regulator. This would give 
companies a better understanding of how to collect data responsibly. 


Sharing and resale of data 
With this already covered in the ICO Data Sharing Code of Practice, we 
believe there should be nothing additional or specific to add in this code. 


The strategies used to encourage extended user engagement 
Organisations need to be free to develop and implement fun and engaging 
content in a way that they choose as long as their data processing 
activities are transparent and within the requirements of the law. This will 
be impacted by the ICO’s interpretation of validity of consent to process 
for this purpose. 


User reporting and resolution processes and systems 

As with the presentation and language of terms and conditions / privacy 
notices, there needs to be acknowledgment of the need to explain how 
issues are reported and resolved to both children and their parents when 
directed at younger children. Again, the code should not force the use of 
solutions that may be too costly for businesses, to create a level playing 
field. 


The ability to understand and activate a child’s right to erasure, 
rectification and restriction 

Like adults, children have the right to have their personal data erased, 
rectified or restricted in certain circumstances under the GDPR and 
organisations need to provide users with easy access to request erasure, 
rectification, and restriction of any of their personal data. We would ask 
that the principles of these rights need guidance to remain consistent to 
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both parents and children, but companies need to have the freedom to 
work out how best to deliver that information. 


We agree that Children need to be able to understand their rights and 
how to act on them (particularly when a parent has given consent on their 
behalf) but it’s important there is not a requirement that organisations 
have to reconfirm consent once the child is at the age of consent as 
addressed in the ICO’s Children and the GDPR guidance. This may also 
reduce the need to ask for date-of-birth details during early consent 
processes. We agree it would be better for the activation of your rights to 
be addressed and transparent in clear privacy notices. This should be 
clarified in the code to help organisations understand the validity of 
consent given by a parent. 


The ability to access advice from independent, specialist 
advocates on all data rights 

As an industry we understand the need to consult with children when 
developing products and services specifically for them, and this is often 
practiced within our industry to ensure the needs of children are met. 
There are many different ways of fulfilling this practice and therefore 
seeking specialist child rights advocates or third-party facilitators 
shouldn't be a compulsory requirement. 


Do the ICO have a list of specialist child’s rights advocates in mind to 
guide organisations exploring this option? 


Q5. Please provide any views or evidence you have on the following: 


Q5A. about the opportunities and challenges you think might arise in 
setting design standards for the processing of children’s personal data by 
providers of ISS (online services), in each or any of the above areas. 


We have tried to address opportunities and challenges within the answers 
above although we would also like to highlight a few separate overarching 
points here: 


The ICO and the age-appropriate design code needs to acknowledge how 
quickly technology is developing and the impact this will have on data 
protection. As technology and systems develop there will be an increase 
in the number of ways personal data can and will be collected for the 
functioning of products in the future, including better access to improved 
security systems, and safer ways to collect and handle personal data. For 
example, it is now common practice to use thumb print recognition rather 
than passwords or pin numbers. It is important that the standards in the 
design code are not so prescriptive that companies are restricted or 
discouraged from handling personal data or using new technologies to 
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collect personal data. For example, metadata is crucial for innovation and 
needed to help develop new products or update existing ones. This needs 
to be acknowledge by the ICO to ensure the code is futureproofed. 


Another challenge we foresee, as we see with product safety, is 
enforcement and policing of any standards. It is important that the ICO 
recognises the difference between responsible and irresponsible 
companies and that this is reflected in enforcement action and fines. From 
our experience on product safety, we believe there are three types of 
companies which should be recognised; the responsible companies who 
always try to do the right thing, companies who may lack technical 
knowledge or expertise but want to do the right thing and simply need 
help and advice to help them get it right in the future, and then those 
companies who have no intention of meeting requirements. The 
responsible industry will invest heavily to meet regulation and as in the 
offline world, rogue businesses will take no notice and undercut 
responsible brands. As with the offline world we feel it’s important this 
distinction is made to ensure the regulator works with and supports the 
responsible industry whilst targeting those bad actors to deter them in the 
future. 


A final point is that the design standards should not require the use of 
third-parties or force the use of expensive methods so that it is difficult 
for smaller and medium companies to implement. There needs to be a 
level playing field created for all organisations, regardless of size to 
implement the code. 


Q5B. about how the ICO, working with relevant stakeholders, might use 
the opportunities presented and positively address any challenges you 
have identified. 


With our experience making children’s products we believe it would be a 
good opportunity for the toy industry to work with the ICO in further 
development of the code to ensure it is workable, feasible and pragmatic 
for industry to implement whilst protecting children. A collaborative 
approach would be beneficial to producing solutions that are understood 
and accepted by both industry and consumers. BTHA members would be 
most interested in supporting the ICO in any further stakeholder 
engagement work and the BTHA would be happy to facilitate this work. 


Q5C. about what design standards might be appropriate (i.e where the 
bar should be set) in each or any of the above areas and for each or any 
of the proposed age brackets. 


Q5D. examples of ISS design you consider to be good practice. 
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We believe there are good examples within our membership and would be 
happy to put the ICO in contact with companies to support this piece of 
work. 


Q5E. about any additional areas, not included in the list above that you 
think should be the subject of a design standard. 


Q6. If you would be interested in contributing to future solutions focussed 
work in developing the content of the code please provide the following 
information. The Commissioner is particularly interested in hearing from 
bodies representing the views of children or parents, child development 
experts and trade associations representing providers of online services 
likely to be accessed by children, in this respect. 


Name: i 
Email: © btha.co.uk 


Brief summary of what you think you could offer: 


Access to members who would be willing to test out methods of engaging 
parents and children and testing out ICO guidance on practically 
implementing solutions with differing sizes of companies. 


Further views and evidence 


Q7. Please provide any other views or evidence you have that you 
consider to be relevant to this call for evidence. 


It would be useful as a narrative, alongside the guidance, to explain the 
impact of Brexit on this advice. This is clearly meant to be a UK solution 
but it would be useful to companies to know if this will be more widely 
accepted as an interpretation across Europe, and whether there is likely 
to be areas of future divergence. 
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Section 2: About you 


Are you: 


A body representing the views or interests of children? 
Please specify: 


A body representing the views or interests of parents? 
Please specify: 


A child development expert? 
Please specify: 


A provider of ISS likely to be accessed by children? 
Please specify: 


A trade association representing ISS providers? 
Please specify: 


British Toy & Hobby Association 


An ICO employee? 


Other? 
Please specify: 


Thank you for responding to this call for evidence. 
We value your input. 
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